httpd-dev mailing list archives

From Paul Sutton
Subject Re: apache week and cookies and a patch
Date Fri, 31 May 1996 10:08:36 GMT

On Thu, 30 May 1996, Rob Hartill wrote:
> "When a CGI program sends multiple cookie headers (Set-Cookie:), Apache
>   merges them into one HTTP header. It does this with all headers of the
>   same name, since this is a standard part of the HTTP specification.
>   Unfortunately, the Netscape cookie specification does not allow
>   multiple cookies on one header, but does allow multiple Set-Cookie:
>   headers. While this breaks the HTTP specification, Apache will probably
>   be updated in a future to send multiple cookies"
> Would multiple cookie headers break the HTTP spec?   I think not.
> My reading of the spec a while back gave me the impression that
> multiple headers and merged headers are equivalent. Merged headers
> are preferred because they save bandwidth.

Yes, that's exactly the point [I wrote that bit of apache week, BTW].
Multiple headers are equivalent to a single header with comma-separated
parts, but the Netscape cookie spec gives no representation for a
comma-separated list on the Set-Cookie: header.  So the Netscape spec is
broken with regard to the HTTP 1.0 spec.

The issue then is whether Apache should be updated to reflect the Netscape
cookie implementation over and above the HTTP specification. Apache will
still be HTTP/1.0 compliant, but it will have to be hacked to know that in
one particular case, it cannot merge multiple headers into one. That is
what I meant when I referred to the Netscape spec 'breaking' the HTTP/1.0

I've attached a simple patch which does this, if desired. The patch adds a
new table function, table_add(), in alloc.c which adds a duplicate key
into a table, then duplicate set-cookie headers are table_add()'ed to the
outgoing headers in scan_script_header(), if the NETSCAPE_COOKIE_HACK
define is set.

In detail, the new RFC1945 which defines HTTP/1.0 says:

  "Multiple HTTP-header fields with the same field-name may be present
   in a message if and only if the entire field-value for that header
   field is defined as a comma-separated list" [1] para 4.2

But the Netscape spec defines the Set-Cookie header with
no representation of multiple cookies on a single header (i.e. no
comma-separated list):

  "Set-Cookie: NAME=VALUE; expires=DATE; path=PATH;
	domain=DOMAIN_NAME; secure" [2]

Therefore, from [1], multiple Set-Cookie: headers are not allowed.



Paul Sutton, Technical Director, UK Web ---
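
Added example, not the patch attached to this message and not Apache's own code: a small header table showing the behaviour the thread discusses, where same-name headers are folded into one comma-separated value unless the name is Set-Cookie. All names (`hdr_add`, `hdr_merge`, `demo`) are hypothetical, `hdr_add` stands in for the duplicate-key add the message describes, and the cookie values are constructed samples whose `expires` date itself contains a comma.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
enum { MAX_HDRS = 8, MAX_VAL = 256 };
struct hdr { char name[32]; char val[MAX_VAL]; };
struct hdr_table { struct hdr e[MAX_HDRS]; int n; };
/* Append an entry even when the name is already present (duplicate key). */
static int hdr_add(struct hdr_table *t, const char *name, const char *val) {
    if (t->n >= MAX_HDRS) return -1;
    struct hdr *h = &t->e[t->n++];
    snprintf(h->name, sizeof h->name, "%s", name);
    snprintf(h->val, sizeof h->val, "%s", val);
    return 0;
}
/* Index of the first entry with this name (case-insensitive), or -1. */
static int hdr_find(const struct hdr_table *t, const char *name) {
    for (int i = 0; i < t->n; i++)
        if (strcasecmp(t->e[i].name, name) == 0) return i;
    return -1;
}
/* Fold val into an existing entry as "old, new"; add it if the name is new. */
static int hdr_merge(struct hdr_table *t, const char *name, const char *val) {
    int i = hdr_find(t, name);
    if (i < 0) return hdr_add(t, name, val);
    size_t used = strlen(t->e[i].val);
    if (used + 2 + strlen(val) >= sizeof t->e[i].val) return -1; /* no truncation */
    snprintf(t->e[i].val + used, sizeof t->e[i].val - used, ", %s", val);
    return 0;
}
/* Constructed CGI output; cookie_hack=1 keeps each Set-Cookie on its own line. */
static const struct hdr_table *demo(int cookie_hack) {
    static struct hdr_table t;
    static const char *in[4][2] = {
        {"Allow", "GET"},  {"Set-Cookie", "a=1; expires=Fri, 31-May-1996 10:00:00 GMT"},
        {"Allow", "HEAD"}, {"Set-Cookie", "b=2; path=/"} };
    t.n = 0;
    for (int i = 0; i < 4; i++) {
        int dup = cookie_hack && strcasecmp(in[i][0], "Set-Cookie") == 0;
        (dup ? hdr_add : hdr_merge)(&t, in[i][0], in[i][1]);
    }
    return &t;
}
int main(void) {
    for (int hack = 0; hack < 2; hack++) {
        const struct hdr_table *t = demo(hack);
        for (int i = 0; i < t->n; i++)
            printf("hack=%d  %s: %s\n", hack, t->e[i].name, t->e[i].val);
    }
    return 0;
}
```

With `cookie_hack` off, the single merged Set-Cookie value contains two commas, only one of which separates cookies, so a client cannot split it reliably; with it on, Allow is still merged and each cookie keeps its own header line.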
